This invention relates generally to application-level security systems, and more particularly, to web application security systems collecting information about application-level functional user behavior, and correlating the information collected with evaluation patterns to detect security threats before the attacks occur.
Security is one of the largest concerns and markets for the Internet. The security threat to Internet-based commerce grows daily as more users and companies access sensitive information, such as credit card information and employee records, over the Internet. The majority of solutions for Internet security focus on the network, the operating environment of the servers, and the data.
For example, one of the prevailing solutions to Internet security has been the network firewall. Network firewalls block unauthorized access to assets while allowing certain kinds of access to occur (e.g., for authorized users such as customers). For example, a network firewall can block communications originating from a particular IP address. Network-level security solutions such as hardware firewalls usually implement rules or access control lists for determining access permissions. For example, a hardware firewall can protect a private network by limiting the access permissions of outside network traffic.
Protection at the application level, however, has been largely neglected. Web applications written and deployed without security as a prime consideration can inadvertently expose sensitive or confidential information, facilitate web site defacement, provide access to private networks, enable denial of service (DoS) attacks, and allow unhindered access to back-end databases. The stakes are high, and threats must be detected and remediated before an attacker has a chance to launch an attack against the application.
Attackers are discovering that manipulating applications to gain access through the open doors of the hardware firewall is more effective. These attacks work by exploiting the web server and the applications it runs, entering through the same open door in the perimeter defenses that normal users (e.g., customers) use to access the website. In such instances, attackers generally exploit vulnerabilities in the code of the web application. One example of an application-level attack is SQL injection. Web applications vulnerable to this type of attack often use user input, such as text entered in form fields, to construct SQL queries by concatenating the text received from the user with SQL code. If the appropriate text is submitted through the form field so that a malicious query is formed instead of the intended one, the web application may return information not intended for the user, such as passwords or other kinds of personal information.
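The concatenation flaw described above, shown as an added example that is not part of the original text: the table, its rows and the function names are constructed for illustration. The vulnerable lookup builds the query by string concatenation; the hardened lookup binds the same input as a parameter so the database driver never interprets it as SQL.

```python
import sqlite3

# Constructed sample database (not from the original page): a users table that
# a login form is meant to look up by username.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT, card TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        ("alice", "s3cret", "4111-1111-1111-1111"),
        ("bob", "hunter2", "5500-0000-0000-0004"),
    ])
    return conn

def lookup_vulnerable(conn, username):
    """Build the query by concatenating user text with SQL, as the text describes.
    A quote character in `username` ends the string literal and the remainder
    of the input becomes part of the query."""
    sql = "SELECT username, card FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn, username):
    """Pass the input as a bound parameter; the driver treats it purely as data,
    so the query shape cannot be changed by its content."""
    sql = "SELECT username, card FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()

if __name__ == "__main__":
    conn = make_db()
    payload = "x' OR '1'='1"   # classic tautology: WHERE username = 'x' OR '1'='1'
    print(lookup_vulnerable(conn, "alice"))       # [('alice', '4111-1111-1111-1111')]
    print(lookup_vulnerable(conn, payload))       # both rows, including the other user's card
    print(lookup_parameterized(conn, payload))    # [] : no user literally named "x' OR '1'='1"
```

The vulnerable variant returns every row for the tautology payload because the closing quote in the input terminates the intended string literal; the parameterized variant looks for a user whose name is the whole payload and finds none.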
Existing security solutions aimed at application-level attacks, such as Juniper Networks' network firewalls, offer a packet-level solution that inspects the payload of a packet and stores the history of network traffic to model application-level activities. For instance, to protect against SQL injection, the network firewall inspects the packet payload data for special symbols. However, these solutions inspect packets at the network level and require reassembly, scrubbing, and normalization, because application-level activity is fragmented and out of order at that level. The process of analyzing packet payloads to interpret the intent of the application data is difficult, cumbersome, and introduces significant overhead. Packet-level solutions cannot easily keep track of browser sessions, because session information, such as the data associated with browser session cookies, is not coherent at the network level. Packet-level solutions also cannot easily distinguish network traffic belonging to one application from that of another. Packet-level solutions are also expensive, and can slow down the network significantly as the firewall filters packets for application data. Furthermore, packet-level solutions cannot be adapted and modified easily for a particular application. Additionally, packet-level solutions cannot accurately and adequately track functional behavior on an application, because they can only interpret and attempt to reconstruct the application-level user behavior from the raw packet data. Reconstruction from the raw packet data introduces ambiguity and reduces the performance of the security system. Moreover, existing solutions do not automatically learn new patterns of benign and/or malicious behavior, and can only work with a given set of threat signatures (i.e., threat signatures provided by the hardware vendor or system administrators).
It is difficult to distinguish malicious activity at the application level (e.g., functional abuse) from normal, everyday web traffic when observed at the network level. Application attacks cannot be adequately prevented by intrusion-then-detection methods, network firewalls, or even encryption. There exists a need for a solution that can prevent application-level attacks and eliminate the shortcomings of the existing solutions.
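The fragmentation and normalization problem described above, shown as an added example that is not part of the original text and does not describe any vendor's product. The request, the segment split and the "special symbol" pattern are all constructed for illustration. A scanner that looks at each TCP segment on its own misses a percent-encoded quote that is also split across a segment boundary, while a check made after stream reassembly and parameter decoding, at the point where the application receives the value, sees it.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed requests (not captured traffic). The malicious one carries the
# percent-encoded payload  x' OR 1=1  in its `user` query parameter.
MALICIOUS = "GET /login?user=x%27%20OR%201%3D1&pw=a HTTP/1.1\r\nHost: shop.example\r\n\r\n"
BENIGN = "GET /login?user=alice&pw=a HTTP/1.1\r\nHost: shop.example\r\n\r\n"

# Markers a payload scanner might look for, in raw and percent-encoded form.
SPECIAL = re.compile(r"['\";]|--|%27|%22")

def segment(request, at):
    """Cut the request into two TCP-sized pieces at byte offset `at`, the way a
    network sensor sees it before stream reassembly."""
    return [request[:at], request[at:]]

def packet_level_alert(segments):
    """Scan each segment independently, with no reassembly and no decoding."""
    return any(SPECIAL.search(seg) for seg in segments)

def application_level_alert(segments):
    """Reassemble the stream, parse the request target, percent-decode each
    query parameter, and scan the values the application will actually use."""
    stream = "".join(segments)
    request_line = stream.split("\r\n", 1)[0]
    target = request_line.split(" ")[1]
    params = parse_qs(urlsplit(target).query)
    return any(SPECIAL.search(v) for values in params.values() for v in values)

if __name__ == "__main__":
    # Offset 19 falls between the "%2" and the "7" of the encoded quote, so
    # neither segment contains "%27" and neither contains a raw quote.
    segs = segment(MALICIOUS, 19)
    print("packet-level:", packet_level_alert(segs))              # False
    print("application-level:", application_level_alert(segs))   # True
    print("benign, application-level:", application_level_alert(segment(BENIGN, 19)))  # False
```

Scanning the unsplit request does fire, which is exactly why a packet-level product must reassemble and normalize before it can match anything; the example shows only the cost the paragraph describes, not a complete evasion catalogue.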